Accessing Enterprise Resources While Providing Denial-of-Service Attack Protection

Abstract

A method for accessing enterprise resources while providing denial-of-service attack protection. The method may include receiving, at a gateway from a client device, a request for a resource, the request comprising a location identifier associated with the resource. The method may further include redirecting, by a redirection message, the request to an authentication device that requests credentials for authentication, the redirection message comprising the location identifier. The method may also include retrieving, after authentication of the credentials, the location identifier from the client device. The method may additionally include providing access to the resource based on the location identifier.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS[0001]This application claims priority to U.S. Provisional Patent Application Ser. No. 61 / 823,096, filed May 14, 2013, entitled “Systems and Methods for Accessing Enterprise Resources While Providing Denial of Service Attack Protection,” which is incorporated by reference in its entirety.FIELD[0002]Aspects described herein generally relate to computing devices and computer networks. More specifically, aspects herein relate to interacting with enterprise-managed systems, application programs, and resources. Additionally, aspects herein relate to making enterprise resources both accessible and secure.BACKGROUND[0003]Many enterprise organizations (e.g., corporations, nonprofits, governments, etc.) maintain computer networks that allow enterprise users, such as employees, to access enterprise applications, data, and services (collectively known simply as “resources”). Enterprise resources may include hardware and software email applications, custom...

AI Technical Summary

Benefits of technology

[0010]Thus, in some embodiments, the specific requested enterprise resource identifier (such as URL) might not be stored by the access gateway before authentication. Rather, upon initiation of a request for access by an unauthenticated user, the access gateway provides an identification cookie as part of a redirection message to the requesting client device. In one embodiment, the identification cookie may include an identifier for the specific enterprise resource. This identifier can be obtained and used later once the client device is authenticated and securely in communication with the access gateway, such that the access gateway can obtain this information when needed without having to store it pre-authentication.

Problems solved by technology

This can be problematic in that the user then has to figure out how to access the specific enterprise resource from the common landing page, often resulting in a less than positive experience for the user.

But this solution can be problematic in that storage of the requested enterprise resource identifier consumes gateway resources (memory) and makes the gateway vulnerable to a denial-of-service attack.

A common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be essentially rendered unavailable.

In the case described above, if requested enterprise resource identifiers are stored by the gateway before user authentication, providing many requests for enterprise resources from unauthenticated rogue users could consume the storage capabilities of the access gateway and prevent it from servicing legitimate users.

Images